Info Commissioner admits 'It's going to be tough'

Improving FoI compliance - with extreme prejudice

Common Topics

He can't put a figure on it, but suggests that FoI must be saving public services million of pounds every year, just in terms of rooting out expenditure that is difficult to justify.

On data protection, Graham believes that after the warning delivered by the loss of child benefit records, government is putting a lot of effort into ensuring there are no similar disasters. In addition, his office is auditing departments, has the power to carry out assessments of compliance with the Data Protection Act and, since April, has been able to use civil monetary penalties of up to £500,000 for breaches. He promises that penalties are "coming down the track shortly" which will teach organisations that the ICO "is for real and in earnest".

Winning the confidence of the patients and residents is a continuous battle for health authorities or local councils, he believes, and although a fine is a waste of money, the damage to reputation matters more. Over the coming months the ICO's attention will be turned to information sharing and a draft code on the matter, published for consultation in October, aims to help organisations make the best use of technology to deliver better services without losing public confidence.

Graham says it's important to provide good guidance and that the ICO is not just a "scowling regulator itching to impose fines".

"We are not a regulator that gets off on regulation," he states. "We want to help the vast majority who do things properly to do things even better and get stuff done, and we don't want to get in their hair.

"But we do want to get into the hair of the minority of operators who either know and don't care, or who don't take the trouble to find out what their obligations are, and make a compete mess of data protection."

The NHS appears to have particular problems with data protection, but the commissioner says that because the health service has had a "torrid time" with data breaches over the years, it now has specific obligations for reporting them. The fact that it reports a lot of breaches to the ICO does not necessarily mean it is the worst offender, however, and Graham suspects there are an awful lot of breaches going on elsewhere that he doesn't get to hear about.

"On the other hand I weep when I see headlines, as I did in the local paper the other day, 'medical records left at bus stop'. And you think, where have people been for the last five or 10 years."

He has ongoing concerns about the increasing amount of data held by the police and says that the only recent change is that the government's adviser on criminality information, Sunita Mason, supported his view that police forces had to be better at securing information.

Outsouring, offshoring and cloud computing all pose particular security threats. The commissioner argues that data controllers have to put in place the best arrangements possible so that contractors are clear about good practice and lines of responsibility.

"It's not a defence to say 'It's all very difficult and the technology ran away with me', if you can't demonstrate to me that you have taken every step to safeguard individuals' information," he maintains.

As to priorities for the coming year, he says that in addition to helping to free up more information and help organisations avoid catastrophic mistakes with other people's data, he would like his office to be more obviously independent of government.

"I would like to be in the position that the parliamentary ombudsman is in," he says. "Ann Abraham is reporting directly to Parliament, whereas the ICO reports through the Ministry of Justice.

"It would help me see off some of the swivel-eyed critics of the Information Commissioner's Office who think it's all a government plot."

By the end of the interview the weather outside is brighter, but the financial forecast is unsettled and Graham predicts that "doing more for less will be key".

How will he achieve this? "Well, I have a day tomorrow working out how we will manage that. But thinking over the next three years or so, it's going to be tough."

Christopher Graham will be among the speakers at Kable's Information Security and Identity Management in the Public Sector conference, taking place in London on 3 November.